runas.eu
Run application as administrator with Runas and run as alternative
Runas with password, to run application as administrator from standard user, is possible with alternative runas tools. Test and difference of runas, cpau, steel run as, encrypted run as, su run, runasspc, secure runner,...
A lot of runas alternatives accept a password as argument to run software with administrator rights from a user account.
Most of this utilities store the administrator credentials encrypted, but security problem are the reversible encryption, which is necessary, that applications can start with that stored administrator password.
Nevertheless , I don’t want to miss this run as administrator alternatives in a lot of situations and solutions.
Not at least, because of unsecure software and other security problems on the windows system.
By this tools I can install, uninstall and update workstations very easy, quick and efficient with security patches, to protect my clients against attacks from outside.
I can run a script with administrator privileges or delegate a task with administrator rights to a user.
A separate local administrator account, i can manage central in domain, for that runas password utilities or changing the password regularly, minimize the risk that hacker, sitting in front of your computer, can hack and use this password.
Against that risk, there are runas utilities at the bottom of the list, which can do its job, without to save the login information.
A lot of IT trainer know about the efficiency of this tools and recommend this alternative tools for a quick solution.
-
RunAs Microsoft Windows
-
CPAU
-
RunAsSpc
-
Runapp
-
SteelRunAs
-
WinGnut Encrypted RunAs
-
RunAs Professional
-
Secure Runner
-
RunAsTool
-
RunItAs
-
RunAsGui
-
PCWRunas
-
SuRun
-
RunAsRob
In this blog I post my test and my notes of runas and alternatives i found.
RUNAS from Microsoft.
- Tool is integrated into Windows System, need no installation procedure.
- Compatible with User Access Control, if software request elevated rights from system to run as administrator.
- If executed software don't request elevated permissions on UAC, it doesn't run with administrator privileges.
- Using a domain account and a local account to run application as administrator is possible.
- You can set program parameters for the starting application.
- No Encryption of the call is possible. You must enter the administrator password after the call.
- 64 Bit compatible.
- Compatible to Unicode. Credentials and directories can have Chinese and other unicode characters.
- Calling application can't controlled by checksum.
- Supported batch files.
- Supported installation files like msi, msp. Not directly, but you can call msiexec.exe, with corresponding msi or msp file as arguments.
- Scripts like Powershell, WSH Windows Script Host or others can used if you call the interpreter as mainprogram and the script as parameter.
- Can call files from network.
- Free to use.
- Argument runas password is not available to launch application as administrator, without enter the admistrator password each time. There is an option runas savecred which save credentials in a manager, but this stored login information can used to start everything on the system.
RunAs Microsoft
CPAU the oldest tool, but works like a charm if you consider some restrictions.
- Portable software utility.
- Cannot request elevated privileges from an active UAC system, if executed software ask for it, to run application as admin.
- Software does not run as administrator on UAC system, but works, if you disable the User Access Control.
- Using a domain account to run program as administrator is not possible, you have to use a local account.
- You can set program parameters for the starting application.
- Encryption of the call and its credentials is possible, but did not work in my test. I can encrypt a file but if i decript the application start without administrator credentials.
- 64 Bit compatible. Can find and use the 64Bit directories in System and Registry. It is important if you want to install a 64 Bit software over CPAU.
- Incompatible to Unicode. Credentials and directories must not have Chinese and other unicode charactes.
- Calling application can't controlled by checksum. User can easy rename another software to run it over the same call.
- Supported batch files.
- Supported installation files like msi, msp. Not directly, but you can call msiexec.exe, with corresponding msi or msp file as arguments.
- Scripts like Powershell, WSH Windows Script Host or others can used if you call the interpreter as mainprogram and the script as parameter.
- Can call files from network.
- Free to use.
CPAU
RunAsSpc is also very old, but still supported today and compatible with UAC.
- Portable software need no installation procedure. Can be deployed on clients where it isn't installed.
- Compatible with UAC if executed software request elevated privileges from system to run as admin.
- If executed software do not request elevated permissions on an UAC System you can use the free add-on Runelevated.
- Domain and local login be allowed.
- To use program parameters are possible.
- Encryption of call and credentials are possible.
- There is a 32 Bit and 64 Bit version. 32 Bit can also used on 64 Bit systems.
- Unicode compatible. Credentials and directories can be in asian and other special characters.
- Calling application can controlled by checksum to avoid that user call another renamed application with the same configured encrypted file.
- Call a batch file is possible.
- Suport installation files. Msi, msc, msp can used directly.
- Scripts like Powershell, WSH Windows Script Host or others can used if you call the interpreter as application and the script as an argument.
- Files from network are supported.
- Free for private use. 4.80 USD the first 10 licenses than 1.20 USD each additional license.
RunAsSpc
RunApp has the nice feature that a time period can set when the allowed call should be expired.
- Need installation and is not portable. You can't use a configured call on machines where it isn't installed.
- Required privileges are not requested on UAC system, if software need it, to run as admin.
- Not compatible with User Access Control, program can not run with elevated privileges. You must turn off the UAC.
- Domain accounts are not possible. Only suitable in a local environment.
- Program parameters for the starting application are supported.
- Encryption of the call and the credentials is possible.
- Not compatible with 64 Bit. Can't find the 64Bit directories in System and Registry. Not recommended for 64 Bit applications.
- Unicode compatible. Credentials and directories can be in asian and other specical characters.
- Calling application can controlled by checksum to avoid that user call another renamed application with the same configured encrypted file.
- Calling batch files possible.
- Support of installation files msi, msp not directly, but you can call msiexec.exe, with corresponding msi or msp file as arguments.
- Scripts like Powershell, WSH Windows Script Host or others can used if you call the interpreter as application and the script as parameter
- Files from network are not supported.
- 29 Euro each workstation license.
- Mixed in german and english language, but comprehensible.
Runapp
Steel RunAs create an exe file of the call which can directly execute.
- Required installation on client
- Not compatible with User Access Control if application need elevated rights to run as administrator.
- Incompatible with UAC if executed software don't request elevated permissions. But application running as administrator after turn off the UAC.
- Domain and local credentials can be used.
- Program arguments are supported.
- Encryption of call and credentials are possible.
- Not compatible with 64 Bit. Can't find the 64Bit directories in System and Registry. Not recommended for 64 Bit applications.
- Incompatible to Unicode. Credentials and directories must not have Chinese and other unicode characters.
- Calling application controlled by checksum to avoid that user call another renamed application with the same configured encrypted file. Checksum is obligated, a disadvantage in some cases.
- Call a batch file is possible.
- No support of installation files msi, msp directly.
- Scripts like Powershell, WSH Windows Script Host or others can used if you call the interpreter as application and the script as an argument.
- Files from network are not supported.
- 10 USD single workstation license. Enterprise license included 10 licenses 20 USD.
SteelRunAs
Wingnut Encrypted RunAs can use mapped network drive letters of the user.
- Need installation on client
- Not compatible with User Access Control if software request elevated rights from system to run as admin.
- Not compatible with UAC if executed software don't request elevated permissions to run with administrator privileges.
- Domain and local credentials can be used.
- To use program parameter is possible.
- Encryption of call and credentials are possible.
- Not compatible with 64 Bit. Can't find the 64Bit directories in System and Registry. Not recommended for 64 Bit applications.
- Incompatible to Unicode. Credentials and directories must not have Chinese and other unicode characters.
- Calling application controlled by checksum to avoid that user call another renamed application with the same configured encrypted file.
- Call a batch file is possible.
- Supported installation files msi, msc directly.
- Scripts like Powershell, WSH Windows Script Host or others can used if you call the interpreter as application and the script as an argument.
- Execute files from network is possible.
- 6 USD single workstation license.
WinGnut Encrypted RunAs
RunAsPro has an option wait until started process has terminated. This can be helpful in batch processing if one process have to wait until another is closed.
- Need installation on client.
- Incompatible with User Access Control, if software need elevated privileges to run as admin.
- Incompatible with UAC if software don't request elevated privileges. It's working after turning off UAC.
- Domain and local credentials can be used.
- Program arguments are allowed.
- Encryption of call and credentials are possible.
- Not compatible with 64 Bit. Can't find the 64Bit directories in System and Registry. Not recommended for 64 Bit applications.
- Incompatible to unicode. Credentials and directories must not have Chinese and other special characters.
- Calling application controlled by checksum to avoid that user can call another application by renaming, with the same configured encrypted file.
- Call a batch file is possible.
- No support to installation files msi, msc directly.
- Scripts like Powershell, WSH Windows Script Host or others can used if you call the interpreter as application and the script as an argument.
- Run files from network is supported.
- 10 EURO single workstation license.
RunAs Professional
Secure Runner from Dolinay Soft use a service on client to run an application with Administrator privileges and is UAC compatible.
- Need installation on client and need a system service continuously running on client.
- Compatible with UAC if software request elevated rights from system to run with administrator privileges.
- If executed software don't request elevated privileges on UAC System, it start with elevated rights anyway.
- Domain and local credentials can be used.
- Program arguments are possible.
- Encryption of call and credentials are possible.
- Not compatible with 64 Bit. Can't find the 64Bit directories in System and Registry. Not recommended for 64 Bit applications.
- Not compatible with unicode. Credentials and directories must not have Chinese and other unicode characters.
- Checksum of calling application not possible. An application can be renamed into an allowed application name to start it with administrator privileges.
- Call a batch file is not supported, but can add manually.
- No support to installation files msi, msc directly.
- Scripts like Powershell, WSH Windows Script Host or others can used if you call the interpreter as application and the script as an argument.
- Use files from network is possible.
- Free for private use.
Secure Runner
RunAsTool comes with comfortable gui with all allowed applications and save the password encrypted in registry not in a file.
- Required installation on client only because of one registry entry. Portable if you export and import the registry path of RunAsTool.
- Compatible with UAC if software request elevated rights from system to run as administrator.
- Start all applications with elevated privileges, even if it is not requested. Like cmd.exe, a batch file, scripts or other programs which don't need this permissions.
- Only a local computer account can be used as administrator account.
- Program parameters are supported.
- Encryption of call and credentials are possible. Stored in registry.
- Compatible with 64 Bit. Find the 64Bit directories in System and Registry. Can be used for 64 Bit applications.
- Full compatible with unicode. Credentials and directories can have Chinese or other special characters.
- Checksum of calling application is not supported but the size of allowed file will be examined.
- Batch files are supported.
- Support to msi, msc files directly.
- Scripts like Powershell, WSH Windows Script Host or others can used if you call the interpreter as application and the script as an argument.
- Network files can not be used.
- Free.
RunAsTool
RunItAs has a clear graphical user interface and is easy to use.
- Need installation on client.
- Incompatible with UAC if software request elevated privileges form system to run as with elevated rights.
- Incompatible with UAC if software don't request elevated privileges to run with administrator rights.
- Domain and local credentials can be used.
- Program parameters are allowed.
- Support of encryption of call with login information.
- Incompatible with 64 Bit. Can't find the 64Bit directories in System and Registry. Not recommended for 64 Bit applications.
- Not compatible to Unicode. Credentials and directories must not have Chinese and other special characters.
- Checksum of calling application is not supported. User can rename a not allowed file into an allowed file to execute it.
- Batch files are supported.
- No support to msi, msc files directly.
- Scripts like Powershell, WSH Windows Script Host or others can used if you call the interpreter as application and the script as an argument.
- Network files can not be used.
- Free.
RunItAs
RunAsGui comes with a Wizzard for configuration and is portable like CPAU and RunAsSpc.
- Need no installation on client, it is portable.
- Incompatible with UAC if software request elevated privileges form system to start with administrator privileges
- Incompatible with UAC if software don't ask for elevated rights to launch as administrator.
- Domain and local credentials can be used.
- Program parameters are supported.
- Support of encryption of call with login information.
- Incompatible with 64 Bit. Can't find the 64Bit directories in System and Registry. Not recommended for 64 Bit applications.
- Not compatible to Unicode. Credentials and directories must not have Chinese and other special characters.
- Checksum of calling application is not supported. User can rename a not allowed file into an allowed file to execute it.
- Batch files are supported.
- No support to msi, msc files directly.
- Scripts like Powershell, WSH Windows Script Host or others can used if you call the interpreter as application and the script as an argument.
- Network files can be used.
- Free.
- Remark: There is a misconfiguration in default path %programfiles%(x86), which is used. You have to delete (x86) for each configuration of an encryted file.
RunAsGui
PcwRunAs encrypted credentials directly in call. No seperate file with encrypted run as login informations will be needed
- Need installation on client.
- Not compatible if program need elevated privileges from UAC system.
- Not compatible if program do not request the UAC for elevated rigths. You must turn off User Access Control and it works.
- Domain and local credentials can be used.
- Program arguments are allowed.
- Support of encryption of call with login information.
- Incompatible with 64 Bit. Can't find the 64Bit directories in System and Registry. Not recommended for 64 Bit applications.
- Not compatible to Unicode. Credentials and directories must not have Chinese and other special characters.
- Checksum of calling application is not supported. User can rename a not allowed file into an allowed file to execute it.
- Batch files can be used.
- No support to msi, msc files directly.
- Scripts like Powershell, WSH Windows Script Host or others can used if you call the interpreter as application and the script as an argument.
- Network files supported.
- Free.
- Remark: Software in german language but easy to understand.
PCWRunas
RunAsRob, the best choice authorize complete folders, bypass the UAC, need not storing a password to run application as administrator.
- Need installation on client.
- Works with UAC. Software can request elevated privileges on system to run as administrator.
- Compatible with UAC if software don't request elevated privileges. Different login options for various purposes possible.
- Domain and local credentials can be used.
- Program parameters are supported.
- Encryption of call is not necessary because no password is saved. RunAsRob use another procedure than other tools.
- Compatible with 64 Bit.
- Compatible to Unicode.
- Checksum of calling application is not necessary.
- Batch files can be used.
- Directly support for msi, msp installation files.
- Scripts like Powershell, WSH Windows Script Host or others can used if you call the interpreter as application and the script as an argument.
- Network files supported.
- Free for private. 1.50 USD a company license.
- Remark: RunAsRob use another method than other run as tools and write authorized folder and application in registry. A service compare the call with this entry and run it under system or administrator account.
RunAsRob
Next tools comming soon...
Add a comment by writing to comment@runas.eu
Comment: 2018-08-19 Marc Woresh
I miss some points, because only a few runas utilities can use for specific jobs.
To show examples on software could help to see the differences.
Compatible with UAC including bypass UAC dialog complete, is only possible with RunAsRob.
Nevertheless, thank you for this publication.
Answer: 2018-08-20 Oliver Hessing
You are right, runas tools can use in a wide range of possible applications.
But it isn't possible to show all options and more difficult to compare this options, because they all are going different ways.
Your example RunAsRob can go three different ways to run an application as administrator.
RunAsRob can put the user account into the local group of administrators for the specific allowed program.
So the user can work with his own account, settings and profile. This way has a lot of advantages.
By RunAsRob you can also start a specific allowed application with system account.
This second way has a lot of other advantages, because a system account has the most rights on a local system, more than an administrator.
The third way is to run an application with another account. Most runas tools are going this way.
However, run as administrator can mean different things and each solution need its own way.
RunAsRob is the only one i know which can go all three possibilities.
Date: 2024-10-11
Data protection
Imprint